To infect other systems in the peer-to-peer network community, the following action is performed:

It retrieves shared folders by querying the following registry keys:
• Software\BearShare\General
• Software\iMesh\General
• Software\Shareaza\Shareaza\Downloads
• Software\Kazaa\LocalContent
• Software\DC++
• Software\eMule
• Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1

It searches for directories that contain the following substring:
• \Local Settings\Application Data\Ares\My Shared Folder
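A detection sketch for the lookup pattern above, added here as an example and not part of the original description: it flags any process that touches the shared-folder locations of several different P2P clients, which a single legitimate client has no reason to do. The event format, the process paths and the threshold of three clients are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Key paths as listed on this page (the page does not name the hive).
P2P_KEYS = {
    r"software\bearshare\general": "BearShare",
    r"software\imesh\general": "iMesh",
    r"software\shareaza\shareaza\downloads": "Shareaza",
    r"software\kazaa\localcontent": "Kazaa",
    r"software\dc++": "DC++",
    r"software\emule": "eMule",
    r"software\microsoft\windows\currentversion\uninstall\emule plus_is1": "eMule Plus",
}
ARES_DIR = r"\local settings\application data\ares\my shared folder"

def client_for(target):
    """Map a registry key or directory path to its P2P client, or None."""
    lowered = target.lower()
    if ARES_DIR in lowered:  # the page describes a substring match on directories
        return "Ares"
    padded = "\\" + lowered.strip("\\") + "\\"
    for key, client in P2P_KEYS.items():
        if "\\" + key + "\\" in padded:  # match whole path components only
            return client
    return None

def flag_enumerators(events, threshold=3):
    """Return {process: clients} for processes touching >= threshold distinct clients."""
    seen = defaultdict(set)
    for ev in events:
        client = client_for(ev["target"])
        if client:
            seen[ev["process"]].add(client)
    return {p: c for p, c in seen.items() if len(c) >= threshold}

# Constructed sample events (hypothetical format: process image + accessed key or directory).
DROPPER = r"C:\Users\a\AppData\Local\Temp\setup.exe"
EMULE = r"C:\Program Files\eMule\emule.exe"
SAMPLE_EVENTS = [
    {"process": DROPPER, "target": r"HKCU\Software\BearShare\General"},
    {"process": DROPPER, "target": r"HKCU\Software\iMesh\General"},
    {"process": EMULE, "target": r"HKCU\Software\eMule"},
    {"process": DROPPER, "target": r"HKCU\Software\Kazaa\LocalContent"},
    {"process": DROPPER, "target": r"C:\Documents and Settings\a\Local Settings\Application Data\Ares\My Shared Folder"},
    {"process": EMULE, "target": r"HKCU\Software\eMuleX\Settings"},  # near miss, must not match
]

if __name__ == "__main__":
    for proc, clients in flag_enumerators(SAMPLE_EVENTS).items():
        print(proc, sorted(clients))
```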

Messenger

It spreads via Messenger. The characteristics are described below:

– Windows Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process will start again.

Backdoor

Contact server:
The following:
• ms.mob**********.com:1863 (UDP)

Stealing

It tries to steal the following information:
– Recorded passwords used by the AutoComplete function